PrepNexus Privacy Policy

Effective Date: 29th July 2025

PrepNexus ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our exam preparation service, including our website, mobile applications, and subscription platform (collectively, the "Service").

By using our Service, you acknowledge that you have read and understood this Privacy Policy. Your use of our Service and our processing of your personal data is based on the lawful bases described in Section 2 below. If you do not agree with the practices described here, please do not use our Service.

1. Information We Collect

Personal Information You Provide

We collect personal information that you voluntarily provide to us when you:

Account Registration:

  • Name (first and last)
  • Email address
  • Password (encrypted)
  • Phone number (optional)

Subscription and Payment:

  • Billing address
  • Payment method information (processed securely through third-party payment processors)
  • Subscription preferences and plan selection

Profile and Preferences:

  • Study goals and target exams
  • Educational background (optional)
  • Learning preferences and settings
  • Communication preferences

Customer Support:

  • Information provided when you contact us for support
  • Correspondence records and communication history

Information Automatically Collected

When you use our Service, we automatically collect certain information:

Usage Data:

  • Pages visited and features used
  • Time spent on different sections
  • Study progress and performance metrics
  • Practice test scores and completion rates
  • Login frequency and session duration

Device and Technical Information:

  • IP address
  • Browser type and version
  • Operating system
  • Device type and model
  • Screen resolution
  • Unique device identifiers

Location Information:

  • General geographic location based on IP address
  • Time zone information

Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies to:

  • Remember your login credentials and preferences
  • Analyze usage patterns and improve our Service
  • Provide personalized content and recommendations
  • Measure the effectiveness of our marketing campaigns

You can control cookie settings through your browser preferences, though disabling certain cookies may limit Service functionality.

2. Legal Bases for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal bases:

Contract Performance (Article 6(1)(b)):

  • Creating and managing your account
  • Processing subscriptions and payments
  • Providing access to exam preparation materials
  • Delivering customer support services

Legitimate Interests (Article 6(1)(f)):

  • Improving our Service and developing new features
  • Analyzing usage patterns and performance
  • Preventing fraud and ensuring security
  • Marketing communications (where consent is not required)
  • Administrative communications

Consent (Article 6(1)(a)):

  • Marketing communications (where required by law)
  • Non-essential cookies and tracking
  • Optional profile enhancements

Legal Obligation (Article 6(1)(c)):

  • Compliance with tax and accounting requirements
  • Responding to lawful requests from authorities
  • Maintaining records as required by law

Vital Interests (Article 6(1)(d)):

  • Protecting individuals from harm in emergency situations

You have the right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing based on consent before its withdrawal.

3. How We Use Your Information

We use your personal information for the following purposes, based on the legal bases outlined in Section 2:

Service Provision (Contract Performance):

  • Create and manage your account
  • Process subscriptions and payments
  • Provide access to exam preparation materials
  • Track your study progress and performance
  • Customize your learning experience

Communication (Contract Performance/Legitimate Interests):

  • Send account-related notifications
  • Provide customer support and respond to inquiries
  • Send educational content and study tips
  • Notify you of Service updates and new features
  • Send marketing communications (based on consent or legitimate interests as applicable)

Service Improvement (Legitimate Interests):

  • Analyze usage patterns to improve our platform
  • Develop new features and content
  • Conduct research and analytics
  • Optimize user experience and performance

Legal and Security (Legal Obligation/Legitimate Interests):

  • Comply with legal obligations
  • Protect against fraud and abuse
  • Enforce our Terms of Service
  • Maintain Service security and integrity

Business Operations (Legitimate Interests):

  • Process transactions and maintain financial records
  • Conduct internal audits and quality assurance
  • Manage business relationships with partners

4. How We Share Your Information

We do not sell, trade, or rent your personal information to third parties. Under GDPR, we may share your information in the following limited circumstances:

Service Providers (Article 28 Processors): We work with trusted third-party service providers who process personal data on our behalf under strict data processing agreements:

  • Payment processors (for subscription billing)
  • Cloud hosting providers (for data storage and processing)
  • Analytics providers (for usage analysis)
  • Email service providers (for communications)
  • Customer support platforms

These processors are contractually obligated to:

  • Process data only according to our documented instructions
  • Implement appropriate technical and organizational security measures
  • Not use your data for their own purposes
  • Delete or return data upon termination of services
  • Assist with data subject rights requests

Legal Requirements (Article 6(1)(c) and (f)): We may disclose your information when required by law or when we have a legitimate interest in doing so:

  • Valid court orders or subpoenas
  • Government investigations and regulatory requirements
  • Protection of our rights, property, or safety
  • Prevention of fraud or illegal activities
  • Compliance with tax and accounting obligations

Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity. We will provide notice and ensure the same level of data protection.

Third Countries and International Organizations: If we transfer personal data outside the European Economic Area (EEA), we ensure adequate protection through:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules
  • Other appropriate safeguards approved by supervisory authorities

Aggregated Data: We may share aggregated, de-identified information that cannot reasonably be used to identify you personally.

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

Technical Safeguards:

  • Encryption of data in transit and at rest
  • Secure socket layer (SSL) technology
  • Regular security assessments and monitoring
  • Access controls and authentication mechanisms
  • Firewall protection and intrusion detection

Organizational Measures:

  • Employee training on data protection
  • Limited access to personal information on a need-to-know basis
  • Regular review of security policies and procedures
  • Incident response procedures

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you of any material breaches as required by law.

6. Data Retention

Under GDPR Article 5(1)(e), we retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements.

Account Information:

  • Active accounts: Retained while your account is active
  • Inactive accounts: Retained for 3 years after last login, then deleted
  • Closed accounts: Most data deleted within 30 days, with some information retained for legal compliance (up to 7 years)

Usage and Analytics Data:

  • Detailed usage logs: Retained for 2 years
  • Aggregated analytics: May be retained indefinitely in anonymized form
  • Performance data: Retained for 3 years for service improvement

Payment Information:

  • Transaction records: Retained for 7 years for accounting and tax compliance
  • Payment card data: Not stored (processed by PCI-compliant third parties)
  • Billing addresses: Retained while account is active plus 1 year

Communication Records:

  • Customer support: Retained for 3 years for quality assurance
  • Marketing communications: Until you unsubscribe or object
  • Legal notices: Retained as required by applicable law

Security and Fraud Prevention:

  • Security logs: Retained for 1 year
  • Fraud prevention data: Retained for 5 years or as required by law

We regularly review our retention practices and will securely delete or anonymize your information when it is no longer needed. You may request deletion of your data subject to our legal obligations and legitimate interests.

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data:

Right of Access (Article 15):

  • Request confirmation of whether we process your personal data
  • Obtain a copy of your personal data and information about processing
  • We will respond within one month and provide information free of charge

Right to Rectification (Article 16):

  • Request correction of inaccurate or incomplete personal data
  • We will correct inaccurate data without undue delay

Right to Erasure/"Right to be Forgotten" (Article 17):

  • Request deletion of your personal data when:
    • The data is no longer necessary for the original purpose
    • You withdraw consent and there's no other legal basis
    • You object to processing and there are no overriding legitimate grounds
    • The data has been unlawfully processed
  • Note: This right may be limited by legal obligations or legitimate interests

Right to Restriction of Processing (Article 18):

  • Request restriction of processing when:
    • You contest the accuracy of the data
    • Processing is unlawful but you don't want erasure
    • We no longer need the data but you need it for legal claims
    • You've objected to processing pending verification of legitimate grounds

Right to Data Portability (Article 20):

  • Receive your personal data in a structured, commonly used, machine-readable format
  • Request direct transmission to another controller where technically feasible
  • Applies only to data processed based on consent or contract

Right to Object (Article 21):

  • Object to processing based on legitimate interests or public task
  • Object to direct marketing (including profiling) at any time
  • We will stop processing unless we demonstrate compelling legitimate grounds

Right to Withdraw Consent (Article 7(3)):

  • Withdraw consent at any time where processing is based on consent
  • Does not affect the lawfulness of processing before withdrawal

Right to Lodge a Complaint (Article 77):

  • File a complaint with your local data protection authority
  • Contact information for EU supervisory authorities: https://edpb.europa.eu/about-edpb/board/members_en

Exercising Your Rights: To exercise any of these rights, contact us using the information in Section 12. We will:

  • Respond within one month (extendable by two months for complex requests)
  • Verify your identity before processing requests
  • Provide information about any fees (generally free of charge)
  • Explain any limitations or refusals

Automated Decision-Making and Profiling (Article 22): We may use automated processing to personalize your learning experience and recommend study materials. You have the right to:

  • Request human intervention in automated decision-making
  • Express your point of view regarding automated decisions
  • Contest automated decisions that significantly affect you

8. Additional User Rights and Choices

Account Management: You can access and update certain information through your account settings, including:

  • Profile information and preferences
  • Communication preferences and consent settings
  • Study preferences and goals
  • Marketing subscription status

Cookie Consent Management: We use a cookie consent management system that allows you to:

  • Accept or reject non-essential cookies
  • Modify your cookie preferences at any time
  • Access detailed information about each cookie category

Marketing Communications: You can manage marketing communications by:

  • Clicking the unsubscribe link in our emails
  • Updating your preferences in your account settings
  • Contacting our Data Protection Officer
  • Withdrawing consent for marketing cookies

Data Export: You can request a copy of your data in a portable format through:

  • Your account settings (for basic data export)
  • Contacting customer support for comprehensive data export
  • Using our data portability request form

9. International Data Transfers

Data Transfer Outside the EEA: As PrepNexus may operate globally, your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) that may not have equivalent data protection laws.

Safeguards for International Transfers: When we transfer personal data outside the EEA, we ensure adequate protection through:

European Commission Adequacy Decisions:

  • We may transfer data to countries that the European Commission has determined provide adequate protection
  • Current list available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

Standard Contractual Clauses (SCCs):

  • We use the European Commission's Standard Contractual Clauses for transfers to third countries
  • These clauses provide appropriate safeguards for your personal data
  • Copies of SCCs are available upon request

Binding Corporate Rules:

  • Where applicable, we may rely on Binding Corporate Rules approved by EU supervisory authorities

Additional Safeguards:

  • Regular monitoring of third-country data protection developments
  • Assessment of local laws that may impact data protection
  • Implementation of supplementary measures where necessary
  • Data localization where required by law

Your Rights Regarding International Transfers:

  • Right to obtain information about the safeguards in place
  • Right to obtain a copy of the safeguards (where not commercially sensitive)
  • Right to object to transfers where no adequate safeguards exist

10. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately, and we will delete such information.

For users between 13 and 18, we recommend parental guidance and supervision when using our Service.

11. Third-Party Links and Services

Our Service may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to these third parties. We are not responsible for the privacy practices of other websites or services. We encourage you to review the privacy policies of any third-party services you visit.

12. Changes to This Privacy Policy

Notification of Changes: We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Under GDPR, we will provide appropriate notice of material changes:

Material Changes: For significant changes that affect your rights or how we process your data:

  • Email notification to your registered email address (at least 30 days before effective date)
  • Prominent notice on our website and Service
  • In-app notification upon next login
  • For some changes, we may seek renewed consent

Minor Changes: For non-material changes (such as clarifications or administrative updates):

  • Updated policy posted on our website
  • Notice of the update date

Your Options: When we notify you of material changes:

  • You may continue using the Service under the new policy
  • You may object to the changes and exercise your rights (including account deletion)
  • For changes requiring consent, you may withdraw consent

Record Keeping: We maintain records of previous versions of this Privacy Policy and the dates of changes for transparency and compliance purposes.

Continued Use: Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acknowledgment of the changes, except where additional consent is required.

13. Contact Information and Data Protection Officer

General Privacy Inquiries:

  • Email: support@prepnexus.com

Data Protection Officer: Under GDPR Article 37, we have appointed a Data Protection Officer (DPO) who can be reached at:

  • Email: support@prepnexus.com

The DPO is responsible for:

  • Monitoring GDPR compliance
  • Conducting data protection impact assessments
  • Serving as contact point for supervisory authorities
  • Providing data protection training and advice
  • Handling data subject rights requests

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority. For EU residents, you can find your supervisory authority at: https://edpb.europa.eu/about-edpb/board/members_en

Response Times:

  • Privacy inquiries: Within 5 business days
  • Data subject rights requests: Within 1 month (may be extended by 2 months for complex requests)
  • Data breach notifications: Within 72 hours to supervisory authorities, without undue delay to affected individuals

14. State-Specific Rights

California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of the sale of personal information (Note: We do not sell personal information)
  • Right to non-discrimination for exercising CCPA rights

Other State Laws

Residents of other states may have additional rights under applicable state privacy laws. Please contact us for information about your specific rights.

This Privacy Policy was last updated on 29th July 2025 and is effective as of 29th July 2025.